A phishing attack on the Oregon Department of Human Services (ODHS) resulted in the potential compromise of the personal information of 645,000 clients.

The phishing attack began on January 9, 2019. Nine ODHS employees clicked on links in the emails and exposed their login credentials.

On January 28, ODHS and the Department of Administrative Services Enterprise Security Office learned of the breach after receiving reports from employees that their email accounts had been accessed. The affected employee email accounts were immediately identified and secured, and all remote access to those accounts was blocked.

ODHS investigated the breach to determine which PHI had been viewed and which individuals were affected. This process took some time, as it involved reviewing approximately 2 million email messages.

The attackers had access to the compromised accounts and their email messages for 19 days. ODHS confirmed that the attackers did not install any malware, but they likely viewed or acquired the following personal information: names, contact details, case numbers, sensitive health data and Social Security numbers.

On March 21, when ODHS confirmed that the breach involved PHI, a substitute breach notice was posted on its website. A call center was set up to give affected people more details about the breach. However, ODHS did not send breach notification letters to individuals until June 21.

ODHS oversees programs associated with child welfare, people with disabilities, and seniors, and serves some of the most vulnerable people in Oregon. ODHS has a $1 million identity theft reimbursement insurance policy to cover people in case of harm. It is also offering one year of free credit monitoring and identity theft recovery services to all affected people.

ODHS spokesperson Robert Oakes referred to this email attack as extremely sophisticated. ODHS has already disabled access to the breached email web application and will continue to perform internal security audits to identify vulnerabilities. Identified vulnerabilities will also be subjected to a HIPAA-compliant risk management process. Employees have received further security awareness training, and training on the dangers of phishing will continue.